User profile selection using contextual authentication

ABSTRACT

In embodiments, apparatuses, methods and storage media (transitory and non-transitory) are described that are associated with user profile selection using contextual authentication. In various embodiments, a first user of a computing device may be authenticated and have an access control state corresponding to a first user profile established, the computing device may select a second user profile based at least in part a changed user characteristic, and the computing device may present a resource based at least in part on the second user profile. In various embodiments, the computing device may include a sensor and a user profile may be selected based at least in part on an output of the sensor and a previously stored template generated by a machine learning classifier.

CROSS REFERENCE TO RELATED APPLICATION

The present application is a continuation of U.S. application Ser. No.14/581,659, filed Dec. 23, 2014, entitled, “USER PROFILE SELECTION USINGCONTEXTUAL AUTHENTICATION”. The application is hereby incorporated byreference herein in its entirety for all purposes.

TECHNICAL FIELD

The present disclosure relates to the field of data processing, inparticular, to presentation of resource (e.g., content) based at leastin part on a user profile selected by contextual authentication.

BACKGROUND

The background description provided herein is for the purpose ofgenerally presenting the context of the disclosure. Unless otherwiseindicated herein, the materials described in this section are not priorart to the claims in this application and are not admitted to be priorart by inclusion in this section.

Some computing devices, such as tablet computers, are dynamically sharedbetween multiple users. User profiles allow each user to have a morepersonalized user experience by allowing each user to have their own setof applications, social logins, bookmarks, and data. They can also beused to create guest profiles, allowing others to borrow a devicewithout worrying about application or social login conflicts and dataprivacy. Profiles can also be used to restrict content for use bychildren to allow parental control of browsing, application usage, andin-app purchasing. User profiles typically require additional activeuser input to switch from one profile to another which interrupts theflow of the user experience by requiring extra interaction from the useras they pick a profile to load and/or provide active authenticationinformation such as a password.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments will be readily understood by the following detaileddescription in conjunction with the accompanying drawings. To facilitatethis description, like reference numerals designate like structuralelements. Embodiments are illustrated by way of example, and not by wayof limitation, in the Figures of the accompanying drawings.

FIG. 1 is a block diagram of a computing device in an operatingenvironment, in accordance with various embodiments.

FIG. 2 is a block diagram showing additional components of the computingdevice shown in FIG. 1, in accordance with various embodiments.

FIG. 3 is a block diagram of a computing device, in accordance withvarious embodiments.

FIG. 4 is a flow diagram of an example process that may be implementedon various computing devices described herein, in accordance withvarious embodiments

FIG. 5 is a flow diagram of an example process that may be implementedon various computing devices described herein, in accordance withvarious embodiments.

FIG. 6 illustrates an example computing environment suitable forpracticing various aspects of the disclosure, in accordance with variousembodiments.

FIG. 7 illustrates an example storage medium with instructionsconfigured to enable an apparatus to practice various aspects of thepresent disclosure, in accordance with various embodiments.

DETAILED DESCRIPTION

In the following detailed description, reference is made to theaccompanying drawings which form a part hereof wherein like numeralsdesignate like parts throughout, and in which is shown by way ofillustration embodiments that may be practiced. It is to be understoodthat other embodiments may be utilized and structural or logical changesmay be made without departing from the scope of the present disclosure.Therefore, the following detailed description is not to be taken in alimiting sense, and the scope of embodiments is defined by the appendedclaims and their equivalents.

Various operations may be described as multiple discrete actions oroperations in turn, in a manner that is most helpful in understandingthe claimed subject matter. However, the order of description should notbe construed as to imply that these operations are necessarily orderdependent. In particular, these operations may not be performed in theorder of presentation. Operations described may be performed in adifferent order than the described embodiment. Various additionaloperations may be performed and/or described operations may be omittedin additional embodiments.

For the purposes of the present disclosure, the phrase “A and/or B”means (A), (B), or (A and B). For the purposes of the presentdisclosure, the phrase “A, B, and/or C” means (A), (B), (C), (A and B),(A and C), (B and C), or (A, B and C).

The description may use the phrases “in an embodiment,” or “inembodiments,” which may each refer to one or more of the same ordifferent embodiments. Furthermore, the terms “comprising,” “including,”“having,” and the like, as used with respect to embodiments of thepresent disclosure, are synonymous.

As used herein, the term “logic” and “module” may refer to, be part of,or include an Application Specific Integrated Circuit (ASIC), anelectronic circuit, a processor (shared, dedicated, or group) and/ormemory (shared, dedicated, or group) that execute one or more softwareor firmware programs, a combinational logic circuit, and/or othersuitable components that provide the described functionality. The term“module” may refer to software, firmware and/or circuitry that is/areconfigured to perform or cause the performance of one or more operationsconsistent with the present disclosure. Software may be embodied as asoftware package, code, instructions, instruction sets and/or datarecorded on non-transitory computer readable storage mediums. Firmwaremay be embodied as code, instructions or instruction sets and/or datathat are hard-coded (e.g., nonvolatile) in memory devices. “Circuitry”,as used in any embodiment herein, may comprise, for example, singly orin any combination, hardwired circuitry, programmable circuitry such ascomputer processors comprising one or more individual instructionprocessing cores, state machine circuitry, software and/or firmware thatstores instructions executed by programmable circuitry. The modules maycollectively or individually be embodied as circuitry that forms a partof a computing device. As used herein, the term “processor” may be aprocessor core.

Referring now to FIG. 1, a computing device 100, incorporated with theresource presentation teaching of the present disclosure, in accordancewith various embodiments, is illustrated. As shown, computing device 100may include a number of components 102-158, including shared application144 and trusted execution environment (TEE) 114, configured to cooperatewith each other, to select a user profile using contextualauthentication and enable resources (such as contents) to be selectivelyconsumed (viewed, modified, or deleted) by a logged-in user and/or adelegate user based at least in part on the selected user profile,alternatingly with ease. In embodiments, computing device 100 mayinclude one or more processors or processor cores 102, system memory104, a display 106, and a sensor layer including a sensor hub 108 thatmay be coupled together and configured to cooperate with each other. Thedisplay 106 may be a touch sensitive display that also serves as aninput device in various embodiments. For purposes of this application,including the claims, the terms “processor” and “processor cores” may beconsidered synonymous, unless the context clearly requires otherwise. Inembodiments, the sensor layer may include one or more sensor devices, aninput/output (TO) subsystem having IO controllers, internet protocol(IP) blocks, and control logic. In embodiments, as shown, the computingdevice 100 may also include one or more chipsets 110, one or moreexecution environments 112, and one or more trusted executionenvironments (TEE) 114. The sensor layer may include trusted IOtechnology that hardens the IO path between the sensor hub 108 and/orsensor devices and the TEE 114.

Generally, a TEE is a secure environment that may run alongside anoperating system and which can provide secure services to that operatingsystem. More information regarding TEEs and the implementation thereofmay be found in the TEE client application programming interface (API)specification v1.0, the TEE internal API (application programminginterface) specification v1.0, and the TEE system architecture v1.0issued by GlobalPlatform. In some embodiments, the devices describedherein may include a TEE provided using one or more of virtualizationtechnology, enhanced memory page protection, CPU cache as memory pageprotection, security co-processor technology, and combinations thereof.Non-limiting examples of such technology include INTEL® VT-xvirtualization technology, INTEL® VT-d virtualization technology, INTEL®trusted execution technology (TXT), Xeon® internet security andacceleration (ISA) “cache as RAM”, converged security engine (CSE)technology, converged security and manageability engine (CSME)technology, a security co-processor, manageability engine, trustedplatform module, platform trust technology, ARM TRUSTZONE® technology,combinations thereof, and the like. The nature, advantages andlimitations of each of these technologies are well understood and aretherefore not described herein.

In various embodiments, the sensor hub 108 may be in signalcommunication with a motion sensor 116, a fingerprint sensor 118, aBluetooth transceiver 120, a microphone 122, a wireless fidelity (WiFi)transceiver 124, a speaker 126, a camera 128, an ultrasonic sensor 130,and one or more other sensors 140 or input devices 142. In embodiments,the camera 128 may be a video camera. The motion sensor 116 may includean accelerometer or gyroscope in various embodiments. The WiFitransceiver 124 may operate according to at least one of the Instituteof Electrical and Electronics Engineers (IEEE) 802.11 standards and theBluetooth transceiver 120 may operate according to at least one of thestandards defined by the Bluetooth Special Interest Group in variousembodiments.

In embodiments, the execution environment 112 may include an operatingsystem (OS) 142, earlier described shared application 144, and one ormore modules 146. The execution environment 112 may also include storage147 for various variables and resources. The earlier described TEE 114may include secure modules 150 and data 152 in various embodiments. Theshared application 144 and operating system 142 may, in cooperation withsecure modules 150, enforce respective access rights simultaneously fora plurality of users. In embodiments, a continuous passivelyauthenticated context may be maintained for each of the plurality ofusers.

In embodiments, the computing device 100 may be in data communicationwith a local server 160, a remote content server such as a media server162, or a social network server 164 over a network 166 by communicatingwith a wireless router 168 using the WiFi transceiver 124. The sharedapplication 144 may have access to resources that may be consumed(viewed, modified, or deleted) by a logged-in user and/or a delegateuser. The resources may include local resources 158 stored on thecomputing device 100 or resources served or streamed by the local server160, the media server 162, or the social network 164 in variousembodiments. The resources may include other types of resources notshown in embodiments. The logged-in user may access the resources with afirst set of resource access rights while a second delegate user mayaccess the resources with a different set of access rights.

In various embodiments, the computing device 100 may be a shared devicesuch as a tablet computing device that may be used e.g., by a first user170, a second user 174, or a third user 176. In embodiments, one or moreof the users may have a Bluetooth enabled device 180, which may e.g., bea wearable device on the first user 170.

Referring now to FIG. 2, components of the execution environment 112 andTEE 114 are illustrated in further details, in accordance with variousembodiments. The modules 146 of the execution environment 112 mayinclude a login module 202, an access control module 204, and apresentation module 206. The secure modules 150 of the TEE 114 mayinclude a contextual authentication module 210 that includes a sensorprocessing module 212, a profile selection module 214, and a classifiermodule 216. In various embodiments, the classifier module 216 mayclassify data based on sensor output, application usage patterns, oruser interface interaction patterns in a manner such that the data maybe associated with particular users and the classifications ofparticular sensor data patterns, application usage patterns, or userinterface interaction patterns may be considered to be usercharacteristics such that when a user characteristic changes it may beinferred that a user of the computing device 100 has changed. Theclassifier module 216 may be a machine learning classifier in variousembodiments. Embodiments may also include a user proximity module 218 asa part of the secure modules 150 in the TEE 114. Together, these modules202, 204, 206, 150, 210, 212, 214 and 216 may cooperate with each otherto enable the shared application 144 and operating system 142 to enforcerespective access rights simultaneously for the plurality of users,including continuous maintenance of a passively authenticated contextfor each of the plurality of users.

In embodiments, the data 152 stored in the TEE 114 may include a firstuser profile 230, a second user profile 232, a third user profile 234, afirst delegate profile 236, a second delegate profile 238, or one ormore additional profiles 240 in various embodiments. User profiles are away for users to have a more personalized and streamlined userexperience. Profiles allow users to have their own set of applications,social logins, bookmarks, and data in one easily accessible and privateplace. They may be used to create guest profiles, allowing others toborrow a device without worrying about application or social loginconflicts and data privacy. Profiles may also be used to restrictcontent for use by children to allow parental control of browsing,application usage, and in-app purchasing. In embodiments, automaticdevice state based profile settings may be applied on a per-applicationand a per-service basis. For example, the contextual authenticationmodule 210 may distinguish user one 170 using social networkingapplication A hosted by social network server 164, users two and threeusing video streaming service B hosted by media server 162, etc., andmanage specific profiles for each. In embodiments, this automaticmanagement of specific profiles may be combined with machine learning ofuser characteristics, interactions, or behaviors during shared and/orsingle user sessions to tune the profile-controlled behavior for theapplications and services to the user or combination of users.Preferences may be inferred for combinations of users, applications, andservices from other profiles that involve those users, applications orservices in various embodiments.

The data 152 may also include user characteristics templates 242 such asa first template 244, a second template 246, or a third template 248. Inembodiments, the user characteristics templates 242 are based onbiometric or behaviometric data generated by a machine learningclassifier. In various embodiments, the user characteristics templates242 may be included as a part of the user profiles. For example, thefirst user profile 230 may contain the first template 244, the seconduser profile 232 may contain the second template 246, and/or the thirduser profile 234 may contain the third template 248 in embodiments. Thedata 152 may also include a user focus identifier 260 in variousembodiments.

In embodiments, a biometrics and/or behaviometrics machine learning (ML)classifier or set of classifiers may generate reference sample datasuitable for establishing a user identity. In various embodiments, thereference sample data may be generated during a training process andstored as a biometric and/or behaviometric template such as templates244, 246, or 248. The user characteristics templates 242 may begenerated and stored by the classifier module 216 during a trainingprocess, for example. During the training process, the classifier module216 may use machine learning to associate biometric user characteristicssuch as hand movement, gait, or image patterns based at least in part onsensor data with particular users. Biometric characteristics based onhand movement may be based at least in part on accelerometers orgyroscopes detecting relatively imperceptible movements andcharacteristics based on gait may be based at least in part onaccelerometers or gyroscopes detecting walking characteristics invarious embodiments. The classifier module 216 may also use machinelearning to associate behaviometric user characteristics such asapplication usage patterns or user interface interaction patterns withparticular users. Alternatively, the user characteristics templates 242may be generated and stored by other modules or generated by a differentcomputing device and stored on the computing device 100 in otherembodiments.

In various embodiments, the login module 202 may be operated by the oneor more processors 102 to authenticate a user of the computing device100. In embodiments, an active authentication factor such as athumbprint reading using the fingerprint sensor 118 may be used. Theaccess control module 204 may be operated to establish an access controlstate corresponding to a user profile associated with the authenticateduser. For example, if the login module 202 authenticates the first user170, a first access control state corresponding to the first userprofile 230 associated with the first user 170 may be established by theaccess control module 204. The presentation module 206, operated by theone or more processors 102, may present a resource to the authenticateduser based at least in part on the established access control state.

The contextual authentication module 210 may be operated by the one ormore processors 102 to detect a user interaction change associated withthe computing device 100 that indicates a different user, such as thesecond user 174, has device focus. The user interaction change mayinclude a change in biometric or behaviometric characteristicsdetermined by processing sensor data or application or user interfaceusage data in various embodiments, for example. The contextualauthentication module 210 may continuously monitor passiveauthentication factors to detect user characteristics as the computingdevice 100 is being used such that when a change in user characteristicsis detected indicating the computing device 100 is being used by adifferent user, a user profile may be assigned that corresponds to thecurrent rather than the previous user, or alternatively corresponds to adelegate profile of the previous user that may also be based at least inpart upon the current user. The sensor processing module 212 may processa sensor output from the motion sensor 116 and generate the user focusidentifier 260 indicating the second user 174 has device focus, forexample. The profile selection module 214 may be operated by the one ormore processors 102 to select the second user profile 232 based on theuser focus identifier 260 and the second template 246. In embodiments,the contextual authentication module 210 may include a biometrics and/orbehaviometrics ML classifier or set of classifiers as a part of theclassifier module 216 that generate sample data suitable forestablishing a user identity based at least in part on usercharacteristics.

Reference sample data such as may be stored in templates 244, 246, or248 may be used to compare with the sampled data to determine a usermatch. This may include a match of a first user, a second user, or bothusers, for example. The contextual authentication module 210 may alsoinclude a first user focus context classifier and a second user focuscontext classifier that determines when a user has device focus. Devicefocus may be established when a user is observing content on a displayor other content rendering device, or when the user is inputting datathrough an input device such as a computer keyboard, mouse, microphoneor camera. The user focus classifiers may establish to the OS which useris logged-in and which user is a delegate of the first.

In various embodiments, the user proximity module 218 may be operated bythe one or more processors 102 to determine a proximity statusassociated with the currently logged in user, such as the first user170, after the user interaction change associated with the computingdevice 100 that indicates a different user has device focus is detectedby the contextual authentication module 210. The access control module204 may be operated by the one or more processors 102 to terminate thesecond access control state if the proximity status reaches apredetermined value. The predetermined value may correspond to anapproximate distance, such as greater than thirty feet, for example.Other distances may also be used. An approximate distance of a user fromthe computing device 100 may be determined using power levels associatedwith a received signal strength indicator (RSSI) or by using ageographic positioning system (GPS) location, for example. Inembodiments, the user proximity module 218 may detect a proximity statusregardless of whether a user interaction change has been detected.

Referring now to FIG. 3, various embodiments of a computing device 300may include a host system on a chip (SOC) 302 in data communication witha contextual authentication technology (CAT) system 304 operating in aTEE. The host SOC 302 may include a processor or processing cores,memory, graphics, virtualization, and other capabilities suitable forhosting an operating system (OS) and applications. In embodiments, someor all elements of SOC 302 may be implemented as separate componentsrather than being integrated on a SOC. The CAT system 304 may be insignal communication with a sensor layer 306.

In embodiments, the sensor layer 306 may include a sensor hub, one ormore sensor devices, an input/output (IO) subsystem that may include IOcontrollers, internet protocol (IP) blocks, and control logic. Thesensor layer 306 may also include trusted IO technology that hardens theIO path between the sensor hub and/or sensor devices and a TEEsubsystem. Sensor devices may employ a variety of sensing technology andmay include a video camera 308, a microphone 309, an ultrasonic sensor310, a multi-axis motion sensor 312, a wireless radio 313, and an RFIDsensing device 314 in various embodiments. Additional or alternativesensors may also be included in embodiments.

In various embodiments, the CAT system 304 may be implemented in a TEEand be in data communication with one or more user profiles 316. Hostingthe CAT system in a TEE may provide additional protection againstmalware attacks that may exist on the host system OS or applications.The CAT system 304 may include biometric and/or behaviometric machinelearning (ML) classifiers 318 that may be used to generate sample datasuitable for establishing a user identity based at least in part on usercharacteristics such as biometric or behaviometric information.Reference sample data based at least in part on user characteristics andstored in the user profiles 316 may be used to compare with thegenerated sample data to determine a match of a first user, a seconduser, or both users. The CAT system 304 may also include a first userfocus context classifier 320 and a second user focus context classifier322 that may determine when a user has device focus. Device focus may beestablished when a user is observing content on a display or othercontent rendering device, or when a user is inputting data through aninput device such as a computer keyboard, mouse, microphone or camera.The user focus context classifiers 320, 322 may establish to the OSwhich user is logged-in and which user is a delegate of the other. Inembodiments, the biometric and/or behaviometric ML classifiers 318, thefirst user focus context classifier 320, and the second user focuscontext classifier 322 may be included as a part of the contextualauthentication module 210 as discussed with respect to FIG. 2.

In various embodiments, the computing device 300 may be a tabletcomputing device and as a user picks up the computing device 300, theCAT system 304 employs one or more sensors in combination with the MLclassifiers 318 to determine who is attempting to use the computingdevice 300. When the user is authenticated, the CAT system 304 mayaccess the relevant user profile. If an unknown user is detected or theCAT system 304 cannot detect a particular user with a predeterminedconfidence level, the CAT system 304 may offer access to a guestprofile.

The host SOC 302 may host an OS 324 that may allow operation based onuser profiles, indicated in FIG. 3 as a logged-in user 326 and adelegate user 328. The host SOC 302 may host a shared application 330that allows for varying access to one or more resources 332 based onaccess rules such as first user access rules 334 and second user accessrules 336. The shared application 330 may have access to resources 332that may be consumed (viewed, modified, deleted) by a logged-in user orby a delegate user. A first user 340 and a second user 342 may share thecomputing device 300 and each have a user profile stored with the userprofiles 316 as well as a biometric or behaviometric classifier storedwith the classifiers 318. The shared application 330 and the operatingsystem 324 may enforce the first user access rules 334 and the seconduser access rules 336 for the first user 340 and the second user 342.The CAT system 304 may maintain a continuous authenticated context forboth the first and second users using passive authentication based atleast in part on user characteristics such as biometric or behaviometricinformation rather than requiring an active authentication factor forevery user switch. The logged-in user 326 may access the resources 332with a set of resource access rights while the delegate user 328 mayaccess the resources 332 with a different set of access rights. Invarious embodiments, some or all of the components of the computingdevice 300 may be included as a part of the computing device 100described with respect to FIGS. 1 and 2.

FIG. 4 depicts an example process 400 for simultaneously managing accessrights of multiple users that may be implemented by the computing device100 or the computing device 300 described with respect to FIGS. 1-3 inaccordance with various embodiments. In various embodiments, the process400 may be performed by the login module 202, access control module 204,presentation module 206, sensor processing module 212, profile selectionmodule 214, classifier module 216 and/or user proximity module 218. Inother embodiments, the process 400 may be performed with more or lessmodules and/or with some operations in different order. As shown, forthe embodiments, the process 400 may start at a block 402. At operation,404, a first user log-in may be facilitated, and user rightscorresponding to a user profile associated with the first user may beassigned to a user context. This may be performed by accepting apresentation of the first user's thumbprint at the fingerprint sensor118 such that the login module 202 may access the first user profile 230and the access control module 204 may assign user access rightscorresponding to the first user profile 230, for example. The first usermay then be able to access resources such as local resources 158 orresources served or streamed from local server 160, media server 162, orsocial network server 164 based at least in part on the user accessrights assigned by the access control module 204.

At operation 406, the computing device 100 may monitor passiveauthentication factors in a continuous manner. This may be performed bythe sensor processing module 212 of the contextual authentication module210 monitoring the motion sensor 116 and the classifier module 216generating biometric or behaviometric sample data based at least in parton output from the motion sensor 116, for example. Multiple sensors maybe monitored in embodiments or behavioral factors may be used instead ofor in addition to biometric factors. Passive authentication factors mayinclude any combination of biometric or behaviometric authenticationfactors in various embodiments. For example, in embodiments, biometricauthentication factors may include without limitation hand movement orgait characteristics based at least in part on motion sensor data, imagepatterns based at least in part on camera data, or user characteristicsbased at least in part on ultrasonic or infrared sensor data.Behaviometric authentication factors may include, without limitation,patterns of application usage or patterns of user interface interactionin various embodiments.

At a decision block 408, it may be determined whether the first user isobserved. This may be performed by the profile selection module 214comparing biometric data generated by the classifier module 216 or thebiometric ML classifier 318 at least partially based on information fromthe motion sensor 116 or 312 to reference data stored in the template244, for example. The sample and reference biometric or behaviometricdata compared by the profile selection module 214 may be based at leastin part on any combination of sensor data or behavioral patterns invarious embodiments and is not limited to information from the motionsensor 116 or 312.

If the first user is observed, it may be determined at a decision block410 whether a second user is observed. This may be performed by theprofile selection module 214 comparing biometric data generated by theclassifier module 216 or the biometric ML classifier 318 to referencedata stored in the second template 246 and the third template 248, forexample. If a second user is observed, delegate user rights may beassigned to a second user context at a block 412 in various embodiments.This may be performed by the profile selection module 214 selecting thefirst delegate profile 236 based at least in part on the reference datain the second template 246 and biometric data generated by the biometricML classifier 318, for example. The second user may then be able toconsume one or more resources based at least in part on the assigneddelegate user rights in various embodiments. Resource access rights mayoverlap between a logged-in user and a delegate of the logged-in user tosupport resource sharing (e.g., both may view a common display whileconsuming content). However, differential rights may also be enforced insome cases such as a delegate user may not be able to modify a filewhile having an input focus whereas a logged-in user may be able tomodify a file while having input focus, for example. If, at the decisionblock 410, a second observer was not observed, the process 400 may loopback to the operation 406 such that the monitoring of passiveauthentication factors continues.

In embodiments, if at the decision block 408, the first user is notobserved, it may be determined at a decision block 414 whether a seconduser is observed. If a second user is observed at the decision block414, the first user access rights may be rescinded at a block 416. Thismay be performed by the access control module 204 based at least in parton data from the profile selection module 210, for example. The block416 may also include logging in the second user and assigning userrights corresponding to a user profile associated with the second user.This may involve an active authentication factor such as a thumbprintpresented at the fingerprint sensor 118, in embodiments. The second usermay then, at a block 418, logically become the first user for purposesof the logic of the process 400. In embodiments, if, at the decisionblock 414, a second user is not observed, first and second user rightsmay be rescinded at a block 420. This may be performed by the accesscontrol module 204, in embodiments. The process 400 may end at a block422 after the first and second user access rights are rescinded.Although not shown, in embodiments, the process 400 may proceed to astate following the end block 422 where the system monitors for activeauthentication factors such as a thumbprint or a password as may occurif the process returned to the start block 402, for example.

FIG. 5 depicts an example process 500 for presenting resources that maybe implemented by the computing device 100 or 300 in accordance withvarious embodiments. The process 500 may be performed by e.g., earlierdescribed login module 202, access control module 204, presentationmodule 206, sensor processing module 212, profile selection module 214,classifier module 216 and/or user proximity module 218. In alternateembodiments, the process 500 may be performed by more or less modules,and/or in different order. At operation 502, a first user of thecomputing device 100, such as the first user 170, may be authenticatedand a first user profile corresponding to the first user may beselected. This may occur by presentation of a thumbprint to thefingerprint reader 118 or user input of an authentication password inembodiments. At block 504, a first access control state corresponding toa first user profile associated with the first user may be established.For example, a first access control state corresponding to the firstuser profile 230 associated with the first user 170 may be establishedby the access control module 204.

At operation 506, a second user profile may be selected that indicates adifferent user, such as the second user 174, has device focus. Invarious embodiments, selecting the second user profile may includedetecting a user characteristic change at a block 508 and selecting asecond user profile at a block 510 based at least in part on thedetected user characteristic change. Selecting the second user profileat the block 510 may also be based at least in part on the first userprofile such that the second user profile may be a delegate profilerelating to the first user profile.

In embodiments, detecting a user characteristic change at the block 508may include monitoring one or more sensors such as the motion sensor116, the microphone 122, the camera 128, or the ultrasonic sensor 310,for example. Detecting a user characteristic change may further includereceiving a sensor output, such as from the motion sensor 116 at a block508 and classifying the output such as with the classifier module 216 todetermine whether characteristics such as biometric or behaviometriccharacteristics of the current user have changed. A In embodiments, amovement of the computing device 100 or 300 may be detected thatindicates the computing device has been picked up or has been passedfrom one person to another as a part of detecting a user characteristicchange at the block 508.

Selecting a second user profile at the block 510 may also be based atleast in part on the sensor output and a previously stored templatebased at least in part on biometric information associated with thesecond user, the template generated by a machine learning classifier.The template may include biometric reference sample data such as thatdescribed with respect to template 246 that may be generated by theclassifier module 216 during a training process, for example. Inembodiments, receiving the sensor output may be performed by the sensorprocessing module 212 and selecting the user profile may be performed bythe profile selection module 214, for example. At a block 512, a secondaccess control state based at least in part on the second user profilemay be established. This may be performed by the access control module204, for example. In embodiments, the second access control state may bebased at least in part on a delegate user profile.

In various embodiments, a proximity status associated with the firstuser may be determined at a block 514 after establishing the secondaccess control state. This may be performed by the user proximity module218 based at least in part on information received from the Bluetoothenabled device 180 received by the sensor processing module 212, forexample. At a decision block 516, it may be determined whether theproximity status has reached a predetermined value. For example, it maybe determined whether the proximity status has reached a levelcorresponding to greater than approximately 30 feet away from thecomputing device 100. If, at the decision block 516, it is determinedthat the proximity status has not reached the predetermined value, aresource may be presented at a block 518 based at least in part on thesecond access control state. If, at the decision block 516, it isdetermined that the proximity status has reached the predeterminedvalue, the second access state may be terminated at a block 520.

Referring now to FIG. 6, an example computer 600 suitable to practicethe present disclosure as earlier described with reference to FIGS. 1-3is illustrated in accordance with various embodiments. As shown,computer 600 may include one or more processors or processor cores 602,and system memory 604. For the purpose of this application, includingthe claims, the terms “processor” and “processor cores” may beconsidered synonymous, unless the context clearly requires otherwise.Additionally, computer 600 may include one or more graphics processors605, mass storage devices 606 (such as diskette, hard drive, compactdisc read only memory (CD-ROM) and so forth), input/output devices 608(such as display, keyboard, cursor control, remote control, gamingcontroller, image capture device, and so forth), sensor hub 609 that mayfunction in a similar manner as that described with respect to sensorhub 108 of FIG. 1, and communication interfaces 610 (such as networkinterface cards, modems, infrared receivers, radio receivers (e.g.,Bluetooth), and so forth). The elements may be coupled to each other viasystem bus 612, which may represent one or more buses. In the case ofmultiple buses, they may be bridged by one or more bus bridges (notshown).

Each of these elements may perform its conventional functions known inthe art. In particular, system memory 604 and mass storage devices 606may be employed to store a working copy and a permanent copy of theprogramming instructions implementing the operations associated with thecomputing device 100 or the computing device 300, e.g., operationsdescribed for modules 146, 150, 202, 204, 206, 210, 212, 214, 216, 218,318, 320, and 322 shown in FIG. 1-3, or operations shown in process 400of FIG. 4 or process 500 of FIG. 5, collectively denoted ascomputational logic 622. The system memory 604 and mass storage devices606 may also be employed to store a working copy and a permanent copy ofthe programming instructions implementing the operations associated withthe OS 142, the application 144, the OS 324, and the application 330.The system memory 604 and mass storage devices 606 may also be employedto store the data 152, the local resources 158, the user profiles 316,and the resources 332. The various elements may be implemented byassembler instructions supported by processor(s) 602 or high-levellanguages, such as, for example, C, that can be compiled into suchinstructions.

The permanent copy of the programming instructions may be placed intomass storage devices 606 in the factory, or in the field, through, forexample, a distribution medium (not shown), such as a compact disc (CD),or through communication interface 610 (from a distribution server (notshown)). That is, one or more distribution media having animplementation of the agent program may be employed to distribute theagent and program various computing devices.

The number, capability and/or capacity of these elements 608-612 mayvary, depending on whether computer 600 is a stationary computingdevice, such as a set-top box or desktop computer, or a mobile computingdevice such as a tablet computing device, laptop computer or smartphone.Their constitutions are otherwise known, and accordingly will not befurther described.

FIG. 7 illustrates an example at least one non-transitorycomputer-readable storage medium 702 having instructions configured topractice all or selected ones of the operations associated with thecomputing device 100 or the computing device 300, earlier described, inaccordance with various embodiments. As illustrated, at least onecomputer-readable storage medium 702 may include a number of programminginstructions 704. The storage medium 702 may represent a broad range ofpersistent storage medium known in the art, including but not limited toflash memory, dynamic random access memory, static random access memory,an optical disk, a magnetic disk, etc. Programming instructions 704 maybe configured to enable a device, e.g., computer 600, computing device100, or computing device 300, in response to execution of theprogramming instructions, to perform, e.g., but not limited to, variousoperations described for modules 146, 150, 202, 204, 206, 210, 212, 214,216, 218, 318, 320, and 322 shown in FIG. 1-3, or operations of process400 of FIG. 4 or process 500 of FIG. 5. In alternate embodiments,programming instructions 704 may be disposed on multiplecomputer-readable storage media 702.

Referring back to FIG. 6, for an embodiment, at least one of processors602 may be packaged together with memory having computational logic 622configured to practice aspects described for modules 146, 150, 202, 204,206, 210, 212, 214, 216, 218, 318, 320, and 322 shown in FIG. 1-3, oroperations of process 400 or FIG. 4 or process 500 of FIG. 5. For anembodiment, at least one of processors 602 may be packaged together withmemory having computational logic 622 configured to practice aspectsdescribed for modules 146, 150, 202, 204, 206, 210, 212, 214, 216, 218,318, 320, and 322 shown in FIG. 1-3, or operations of process 400 ofFIG. 4 or process 500 of FIG. 5 to form a System in Package (SiP). Foran embodiment, at least one of processors 602 may be integrated on thesame die with memory having computational logic 622 configured topractice aspects described for modules 146, 150, 202, 204, 206, 210,212, 214, 216, 218, 318, 320, and 322 shown in FIG. 1-3, or operationsof process 400 of FIG. 4 or process 500 of FIG. 5. For an embodiment, atleast one of processors 602 may be packaged together with memory havingcomputational logic 622 configured to practice aspects of process 400 ofFIG. 4 or process 500 of FIG. 5 to form a System on Chip (SoC). For atleast one embodiment, the SoC may be utilized in, e.g., but not limitedto, a mobile computing device such as a computing tablet and/or asmartphone.

Machine-readable media (including non-transitory machine-readable media,such as machine-readable storage media), methods, systems and devicesfor performing the above-described techniques are illustrative examplesof embodiments disclosed herein. Additionally, other devices in theabove-described interactions may be configured to perform variousdisclosed techniques.

Examples

Some non-limiting examples are:

Example 1 may include a computing device comprising: one or moreprocessors; a memory coupled with the one or more processors; a loginmodule operated by the one or more processors to authenticate a firstuser of the device and establish a first access control statecorresponding to a first user profile associated with the first user; acontextual authentication module operated by the one or more processorsto select a second user profile based at least in part on a changed usercharacteristic; and a presentation module operated by the one or moreprocessors to present a resource based at least in part on the seconduser profile.

Example 2 may include the subject matter of Example 1, wherein thecomputing device further comprises a sensor, and wherein the contextualauthentication module comprises: a profile selection module operated bythe one or more processors to select the second user profile based atleast in part on an output of the sensor and a previously storedtemplate generated by a machine learning classifier.

Example 3 may include the subject matter of Example 2, wherein thesensor is a motion sensor and wherein the profile selection modulecomprises a biometric machine learning classifier, wherein the profileselection module is to perform a biometric information classification ofthe output of the sensor and select the second user profile based atleast in part on the biometric information classification and thepreviously stored template.

Example 4 may include the subject matter of any one of Examples 1-3,wherein the login module is to authenticate the first user of the devicebased at least in part on an active authentication factor.

Example 5 may include the subject matter of any one of Examples 1-4,wherein the computing device further comprises: an access control moduleoperated by the one or more processors to establish a second accesscontrol state based at least in part on the second user profile; and auser proximity module operated by the one or more processors todetermine a proximity status associated with the first user, wherein theaccess control module is operated by the one or more processors toterminate the second access control state if the proximity statusreaches a predetermined value.

Example 6 may include the subject matter of any one of Examples 1-5,wherein the computing device further comprises a trusted executionenvironment operated by one of the processors to host operation of thecontextual authentication module.

Example 7 may include the subject matter of any one of Examples 1-6,wherein the contextual authentication module is operated by the one ormore processor to select a delegate profile as the second user profile.

Example 8 may include the subject matter of any one of Examples 1-5,wherein the computing device is a tablet computing device, wherein thecontextual authentication module comprises a profile selection moduleoperated by the one or more processors in a trusted executionenvironment to select a second user profile based at least in part on apreviously stored template generated by a machine learning classifier.

Example 9 may include a computer implemented method comprising:authenticating, by a computing device, a first user of the device;establishing, by the computing device, a first access control statecorresponding to a first user profile associated with the first user;selecting, by the computing device, a second user profile based at leastin part on a changed user characteristic; and presenting, by thecomputing device, a resource based at least in part on the second userprofile.

Example 10 may include the subject matter of Example 9, whereinselecting, by the computing device, the second user profile comprises:receiving, by the computing device, a sensor output; performing aclassification of the sensor output to generate sample data; andselecting, by the computing device, the second user profile based atleast in part on the sample data and a previously stored templategenerated by a machine learning classifier.

Example 11 may include the subject matter of Example 10, whereinreceiving comprises receiving a sensor output from a motion sensor,wherein performing comprises performing a biometric classification ofthe motion sensor output to generate biometric sample data, and whereinselecting comprises selecting the second user profile based at least inpart on the biometric sample data and a previously stored biometrictemplate generated by a biometric machine learning classifier.

Example 12 may include the subject matter of any one of Examples 9-11,wherein authenticating, by the computing device, the first user of thedevice is based at least in part on an active authentication factor.

Example 13 may include the subject matter of any one of Examples 9-12,further comprising: establishing, by the computing device, a secondaccess control state based at least in part on the second user profile;determining, by the computing device, a proximity status associated withthe first user; and terminating, by the computing device, the secondaccess control state if the proximity status reaches a predeterminedvalue.

Example 14 may include the subject matter of any one of Examples 9-13,wherein selecting, by the computing device, the second user profilebased at least in part on the changed user characteristic is performedin a trusted execution environment.

Example 15 may include the subject matter of any one of Examples 9-14,wherein the second user profile is a delegate profile.

Example 16 may include the subject matter of any one of Examples 9-13,wherein the computing device is a tablet computing device, whereinselecting, by the computing device, the second user profile based atleast in part on the changed user characteristic comprises selecting ina trusted execution environment, by the computing device, a second userprofile based at least in part on a previously stored template generatedby a machine learning classifier.

Example 17 may include at least one non-transitory computer-readablemedium comprising instructions stored thereon that, in response toexecution of the instructions by a computing device, cause the computingdevice to: authenticate a first user of the device; establish a firstaccess control state corresponding to a first user profile associatedwith the first user; select a second user profile based at least in parton a changed user characteristic; and present a resource based at leastin part on the second user profile.

Example 18 may include the subject matter of Example 17, wherein toselect the second user profile, the computing device is caused to:perform a classification of a sensor output to generate sample data; andselect a second user profile based at least in part on the sample dataand a previously stored template generated by a machine learningclassifier.

Example 19 may include the subject matter of Example 18, wherein thecomputing device is caused to perform a biometric classification of amotion sensor output to generate biometric sample data and wherein thecomputing device is caused to select the second user profile based atleast in part on the biometric sample data and a previously storedbiometric template generated by a biometric machine learning classifier.

Example 20 may include the subject matter of any one of Examples 17-19,wherein the computing device is caused to authenticate the first user ofthe device based at least in part on an active authentication factor.

Example may include the subject matter of any one of Examples 17-20,wherein the computing device is further caused to: establish a secondaccess control state based at least in part on the second user profile;determine a proximity status associated with the first user; andterminate the second access control state if the proximity statusreaches a predetermined value.

Example may include the subject matter of any one of Examples 17-21,wherein the computing device is further caused to select the second userprofile in a trusted execution environment.

Example 23 may include the subject matter of any one of Examples 17-22,wherein the computing device is further caused to select a delegateprofile as the second user profile.

Example 24 may include the subject matter of any one of Examples 17-21,wherein the computing device is a tablet computing device, wherein thetablet computing device is caused to select the second user profile in atrusted execution environment of the tablet computing device based atleast in part on a previously stored template generated by a machinelearning classifier.

Example 25 may include a computing device comprising: means forauthenticating a first user of the device; means for establishing afirst access control state corresponding to a first user profileassociated with the first user; means for selecting a second userprofile based at least in part on a changed user characteristic; andmeans for presenting a resource based at least in part on the seconduser profile.

Example 26 may include the subject matter of Example 25, wherein themeans for selecting the second user profile comprises: means forreceiving a sensor output; means for performing a classification of thesensor output to generate sample data; and means for selecting thesecond user profile based at least in part on the sample data and apreviously stored template generated by a machine learning classifier.

Example 27 may include the subject matter of Example 26, wherein themeans for receiving comprises means for receiving a sensor output from amotion sensor, wherein the means for performing comprises means forperforming a biometric classification of the motion sensor output togenerate biometric sample data, and wherein the means for selectingcomprises means for selecting the second user profile based at least inpart on the biometric sample data and a previously stored biometrictemplate generated by a biometric machine learning classifier.

Example 28 may include the subject matter of any one of Examples 25-27,wherein the means for authenticating the first user of the device isbased at least in part on an active authentication factor.

Example 29 may include the subject matter of any one of Examples 25-28,further comprising: means for establishing a second access control statebased at least in part on the second user profile; means for determininga proximity status associated with the first user; and means forterminating the second access control state if the proximity statusreaches a predetermined value.

Example 30 may include the subject matter of any one of Examples 25-29,wherein the means for selecting the second user profile based at leastin part on the changed user characteristic is in a trusted executionenvironment.

Example 31 may include the subject matter of any one of Examples 25-30,wherein the second user profile is a delegate profile.

Example 32 may include the subject matter of any one of Examples 25-29,wherein the computing device is a tablet computing device, wherein themeans for selecting the second user profile based at least in part onthe changed user characteristic comprises means for selecting in atrusted execution environment a second user profile based at least inpart on a previously stored template generated by a machine learningclassifier.

Although certain embodiments have been illustrated and described hereinfor purposes of description, a wide variety of alternate and/orequivalent embodiments or implementations calculated to achieve the samepurposes may be substituted for the embodiments shown and describedwithout departing from the scope of the present disclosure. Thisapplication is intended to cover any adaptations or variations of theembodiments discussed herein. Therefore, it is manifestly intended thatembodiments described herein be limited only by the claims.

Where the disclosure recites “a” or “a first” element or the equivalentthereof, such disclosure includes one or more such elements, neitherrequiring nor excluding two or more such elements. Further, ordinalindicators (e.g., first, second or third) for identified elements areused to distinguish between the elements, and do not indicate or imply arequired or limited number of such elements, nor do they indicate aparticular position or order of such elements unless otherwisespecifically stated.

1-24. (canceled)
 25. At least one non-transitory computer-readablemedium (CRM) comprising instructions to cause a computer server remotefrom a mobile phone, in response to execution of the instructions by oneor more processors of the computer server, to: receive datarepresentative of usage characteristics of a user of the mobile phone;establish a usage characteristic profile of the user based at least inpart on the received data representative of usage characteristics of theuser; and store the established usage characteristic profile of the userremotely from the mobile phone; wherein the usage characteristic profileremotely stored from the mobile phone is subsequently used toauthenticate whether an attempting user making an attempt to access aresource with the mobile phone is the user.
 26. The non-transitory CRMof claim 25, wherein the data representative of usage characteristics ofa user of the mobile phone comprise behaviometric data of the usercollected while the user is using the mobile phone.
 27. Thenon-transitory CRM of claim 26, wherein the behaviometric data of theuser comprise pressure data, placement data, swipe speed data ormovement data collected while the user is using the mobile phone. 28.The non-transitory CRM of claim 25, wherein the usage characteristicsprofile of the user comprises a usage characteristics model of the user.29. The non-transitory CRM of claim 25, wherein the data, the usagecharacteristics, and the user are respectively first data, first usagecharacteristics, and first user; and the computer server is furthercaused to receive second data representative of second usagecharacteristics of a second user of the mobile phone, and determine, inresponse to the receipt of the second data, a confidence level withrespect to whether the first and second users are the same user.
 30. Thenon-transitory CRM of claim 25, wherein the computer server is caused tocontinuously receive data representative of usage characteristics of themobile phone, and monitor, continuously, usage characteristics of themobile phone.
 31. The non-transitory CRM of claim 25, wherein asuccessful result of the authentication includes identification of theuser.
 32. The non-transitory CRM of claim 25, wherein a successfulresult of the authentication includes verification that the attemptinguser making the attempt to access the resource with the mobile phone isthe user.
 33. The non-transitory CRM of claim 25, wherein a result ofthe authentication is used to allow or disallow usage of an application.34. The non-transitory CRM of claim 25, wherein a result of theauthentication is used to determine an access control state of themobile phone.
 35. A method comprising: receiving, by a computer serverremote from a mobile phone, data representative of usage characteristicsof a user of the mobile phone; establishing, by the computer server, ausage characteristic profile of the user based at least in part on thereceived data representative of usage characteristics of the user; andstoring, by the computer server, the established usage characteristicprofile of the user remotely from the mobile phone; wherein the usagecharacteristic profile remotely stored from the mobile phone issubsequently used to authenticate whether an attempting user making anattempt to access a resource of the mobile phone is the user.
 36. Themethod of claim 35, wherein the data representative of usagecharacteristics of a user of a mobile phone comprise behaviometric dataof the user collected while the user is using the mobile phone.
 37. Themethod of claim 36, wherein the behaviometric data of the user comprisepressure data, placement data, swipe speed data or movement datacollected while the user is using the mobile phone.
 38. The method ofclaim 35, wherein the usage characteristics profile of the usercomprises a usage characteristics model of the user.
 39. The method ofclaim 35, wherein the data, the usage characteristics, and the user arerespectively first data, first usage characteristics, and first user;and the method further comprises receiving, by the computer server,second data representative of second usage characteristics of a seconduser of the mobile phone, and determining, by the computer server, inresponse to the receipt of the second data, a confidence level withrespect to whether the first and second users are the same user.
 40. Themethod of claim 35, wherein the method further comprises continuouslyreceiving, by the computer server, data representative of usagecharacteristics of the mobile phone, and monitoring, by the computerserver, continuously, usage characteristics of the mobile phone.
 41. Themethod of claim 35, wherein a successful result of the authenticationincludes identification of the user.
 42. The method of claim 35, whereina successful result of the authentication includes verification that theattempting user making the attempt to access the resource with themobile phone is the user.
 43. The method of claim 35, wherein a resultof the authentication is used to allow or disallow usage of anapplication.
 44. The method of claim 35, wherein a result of theauthentication is used to determine an access control state of themobile phone.
 45. An apparatus comprising; one or more processor;memory; a security module stored in the memory, and executed by the oneor more processor to: receive data representative of usagecharacteristics of a user of the mobile phone; establish a usagecharacteristic profile of the user based at least in part on thereceived data representative of usage characteristics of the user; andstore the established usage characteristic profile of the user remotelyfrom the mobile phone; wherein the usage characteristic profile remotelystored from the mobile phone is subsequently used to authenticatewhether an attempting user making an attempt to access a resource of themobile phone is the user.
 46. The apparatus of claim 45, wherein thedata representative of usage characteristics of a user of a mobile phonecomprise behaviometric data of the user collected while the user isusing the mobile phone.
 47. The apparatus of claim 45, wherein the data,the usage characteristics and the user are respectively first data,first usage characteristics, and first user; and the security module isfurther executed to receive second data representative of second usagecharacteristics of a second user of the mobile phone, and determine, inresponse to the receipt of the second data, a confidence level withrespect to whether the first and second users are the same user.
 48. Theapparatus of claim 45, wherein the security module is further executedto continuously receive data representative of usage characteristics ofthe mobile phone, and to monitor, continuously, usage characteristics ofthe mobile phone.
 49. The apparatus of claim 45, wherein a successfulresult of the authentication includes identification of the user,verification that the attempting user making the attempt to access theresource with the mobile phone is the user, or allowance or disallowanceof usage of an application.